The GDPR and POPIA are legislation providing for the protection of personal information, requiring compliance from businesses. The purpose of this article is to provide some information on this legislation.
It is important to bring attention to the GDPR and its application, which will come into effect on the 25th of May 2018. Even though the GDPR is a regulation enacted by the European Union, the regulation will also affect South African businesses.
As this regulation may possibly impact your business, it is important to take note of the GDPR.
The GDPR is a regulation with far-reaching application. It will apply to more organisations internationally than one would expect offhand.
Locally we have the POPIA (also referred to herein as the Act) which is expected to come into effect in its entirety within the next year.
The GDPR and POPIA are very similar. These two pieces of legislation are two sides of the same coin.
The POPIA was enacted in 2013. At the time no one could foresee what the GDPR would entail, and it is possible that our own legislation might require some changes. In any interpretation of our own POPIA, the GDPR will of course have to be taken into account.
Why is this important? Businesses should make a determination as to whether the GDPR applies to them, and if so, they should ensure compliance with the regulation. Similarly, all South African businesses have to comply with the POPIA. This is inescapable. If they have not yet put the necessary compliance measures in place, they should be planning to have this done within the timeframes envisaged, which is estimated to be over the next 12 months or so.
If a business needs to comply with both the GDPR and POPIA, it would be advisable to handle the compliance measures requiring implementation together, and not separately. This could result in the business implementing a better data protection programme while complying with both laws, saving time and money.
Effective date: The GDPR comes into effect on 25 May 2018.
Application: The GDPR (Regulation (EU) 2016/679) was adopted by the European Parliament. It does not, however, only apply to organisations located within the European Union (EU), but will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data or information of data subjects residing in the EU, regardless of the company’s location.
In order to determine whether the GDPR applies to your company, you should consider the following questions:
- Do you currently conduct business in the EU and does this entail handling of EU citizen data?
- Are you planning to conduct business in the EU and will this entail handling of EU citizen data?
- Do you process an EU resident’s personal data in connection with goods or services offered to that person?
- Do you monitor the behaviour of individuals within the EU?
- Do you track “individuals on the internet”? This includes the potential use of profiling techniques to make decisions about the data subject, or to analyse or predict personal preferences, behaviours or attitudes.
- Are you a non-EU data processor?
- Are you a cloud service provider who stores or hosts personal information of EU data subjects?
- Does your company trade with customers within the EU?
If you answer yes to any of the above questions, the GDPR will apply to you and you will have to comply with the regulation.
The GDPR does not apply to the personal information or data of deceased persons or legal entities. The regulation also does not apply to data processed by an individual for purely personal reasons or for activities carried out at one’s home, provided there is no connection to a professional or commercial activity.
Content and Compliance requirements:
In terms of the GDPR, ‘personal data’ constitutes any information related to a natural person or ‘data subject’ which can be used to directly or indirectly identify that person. It can be anything from a name, a photograph, an email address, bank details, posts on social networking websites or medical information to a computer IP address.
This regulation concerns the storage and use of personal information of an identifiable natural person and sets out a data protection framework which will now be applied across the EU. This enhances individual data protection and privacy rights.
The GDPR provides for the protection of personal data and privacy of EU citizens for transactions within the 28 EU member states and regulates the exportation of personal data outside the EU.
Companies will only be allowed to store and process personal data when an individual gives consent and cannot hold it for longer than is necessary. The information must be portable from one company to the next and must be erased upon request.
New roles (positions of officials) are established under the GDPR to help maintain and protect personal data records. Data processors manage the data records of businesses which perform activities with this personal information and these data processors will be held accountable in case of data breaches. Data controllers are responsible for ensuring that outside contractors comply with GDPR regulations. A data protection officer is chosen to oversee the data security strategy and the GDPR compliance of a particular business. The GDPR outlines mandatory data breach notifications and grounds for further investigation.
As far as compliance is concerned, businesses have to familiarise themselves with the GDPR and ensure they comply as required. Compliance would include, but not necessarily be limited to, the incorporation of binding corporate rules regulating the collection, handling, processing, storing, transferring and destruction of personal data; the appointment and monitoring of data officials, data processors and data protection officers; compulsory reporting of data breaches; and the conducting of such data protection assessments as may be required.
It is advisable for any business required to comply with the GDPR to consult an expert, obtain the necessary advice on the relevant compliance requirements and initiate a compliance protocol sooner rather than later.
Businesses which do not comply with the GDPR may be fined up to €20 million or 4% of their total worldwide annual turnover. Article 82 of the regulation also provides individuals with a right to claim compensation for material and non-material damages resulting from privacy breaches.
Effective date: The Protection of Personal Information Act, Act No 4 of 2013 (POPIA or the Act) was signed into law in 2013. It has not been made effective in its entirety as yet. Some parts, dealing with the appointment of the Information Regulator, have been effective for some time. The Information Regulator and its members were appointed in 2016; the Regulator is responsible for education on POPIA, will monitor and enforce compliance with the Act once it becomes effective, and will handle complaints received relating to abuse of personal information.
Draft Regulations to the POPIA were published for comments in 2017, with the deadline for such comments having lapsed in November 2017. It was envisaged that the Draft Regulations would be submitted to Parliament for tabling in February 2018. The anticipated date of publication of the final Regulations is April 2018. Once the final Regulations have been published, the Information Regulator will announce the coming into effect of the POPIA. As from this date of the POPIA becoming effective, all businesses have a grace period of 12 months to become fully compliant with the Act.
Compliance to the POPIA will be mandatory for most organisations in South Africa. The Act applies to any person or organisation who keeps records relating to the personal information of anyone, unless those records are subject to other legislation, which protects such information more stringently.
‘Personal Information’ is defined in Section 1 of the POPIA and means information relating to an identifiable, living natural person and, where applicable, an identifiable, existing juristic person. It includes (but is not limited to) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; information relating to the education or the medical, financial, criminal or employment history of the person; any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person; the biometric information of the person; the personal opinions, views or preferences of the person; correspondence sent by the person that is implicitly or explicitly of a private or confidential nature, or further correspondence that would reveal the contents of the original correspondence; the views or opinions of another individual about the person; and the name of the person if it appears with other personal information relating to the person, or if the disclosure of the name itself would reveal information about the person.
The Act sets minimum standards for the protection of personal information and regulates the “processing” of personal information. “Processing” includes collecting, receiving, recording, organising, retrieving, or using such information; or disseminating, distributing or making available such information.
POPIA does not apply to personal information processed in the course of personal or household activities, or where the processing is carried out by a public body involved in national security, defence, public safety or anti-money laundering, by the Cabinet or the Executive Council of a province, or as part of a judicial function.
In terms of Section 11 of the POPIA, personal information may only be processed with the consent of the data subject, if it is necessary for the conclusion or performance of a contract to which the data subject is a party, if it is required by law or if it protects a legitimate interest of the data subject or if it is necessary to pursue your legitimate interests or the interest of a third party to whom the information is supplied.
The Act offers many safeguards regarding the use of personal data and primarily protects individuals from unsolicited emails and SMSs for services that they never applied for, as well as against any security breaches that could result in identity theft when personal information is stolen or offered too freely by third parties.
Content and Compliance requirements:
The aim of the POPIA is to ensure that personal information is collected, managed, kept and disposed of in the correct (prescribed) manner. Personal information is kept in the form of data in databases or systems as well as in the form of documents or records.
POPIA provides for 8 conditions for the lawful processing of personal information in Section 4.
These 8 conditions are as follows:
- Accountability: The responsible party must ensure that the conditions and all the measures set out in the Act that give effect to such conditions, are complied with at the time of the determining of the purpose and form of the processing of personal information.
- Processing limitation: personal information may only be processed in a fair and lawful manner and only with the consent of the data subject.
- Purpose specification: personal information may only be processed for specific, explicitly defined and legitimate reasons.
- Further processing limitation: personal information may not be processed for a secondary purpose unless that processing is compatible with the original purpose.
- Information quality: The responsible party must take reasonable steps to ensure that the personal information collected is complete, accurate, not misleading and updated where necessary.
- Openness: The data subject whose information you are collecting must be aware that you are collecting such personal information and for what purpose the information will be used.
- Security safeguards: personal information must be kept secure against the risk of loss, unlawful access, interference, modification, unauthorized destruction and disclosure.
- Data subject participation: Data subjects may request whether their personal information is being held by a particular business. They may also request the correction or amendment of their personal information or the deletion thereof from the business’ records.
We have only explained these 8 conditions briefly above, as the content of the conditions is quite extensive and prescriptive in the Act. Compliance in terms of these conditions is required and translates to the proper management, retention and disposal of records.
In order to achieve this compliance goal, a business should develop and adopt a structured plan or programme. This plan will have to be in the form of a manual which should be accessible to any person who wishes to see in what manner your business deals with personal information.
In terms of POPIA requirements, the manual will inter alia make provision for the way in which records are captured, kept and maintained. Those records (personal information) which are relevant to a specific purpose may only be kept for the length of time for which they are required, and may only be used for the purposes for which they were collected in the first instance. Information and records are required to be kept up to date.
In terms of POPIA, records and information need to be destroyed when their purpose has been served. A disposal programme will have to be incorporated into the manual, to ensure that the required information and records (including records not necessarily typically regarded as personal information records and duplicate records/files) are disposed of timeously and in the correct manner.
POPIA requires that every business appoints an Information Officer: The duties and responsibilities of this Information Officer as well as the designation of responsibilities to deputy information officers are detailed in Sections 55 and 56 of the POPIA. The Information Officer will primarily be tasked with the responsibility to encourage compliance with the conditions for the lawful processing of personal information. He or she will deal with any requests made to or by the Information Regulator. He or she will be tasked with implementing the compliance framework, taking adequate measures and standards to ensure POPIA compliance. He or she will also be responsible for conducting preliminary assessments to determine the need and requirements, and develop the manual required (POPIA and PAIA), have it inspected and lodged with the Information Regulator.
The Information Officer also has to implement measures and systems to process requests for or access to personal information and provide POPIA awareness training in his or her business.
The Information Officer has to be registered as such, by his or her business (or employer), with the Information Regulator, after which he or she will be allowed to act as and perform the duties of an Information Officer.
POPIA further deals with specific provisions for instances where prior authorisation is required by a business before it can process certain kinds of personal information. The Act also elaborates on Codes of Conduct which may be issued by the Information Regulator from time to time which will of course also have to be complied with by businesses.
The Act has very specific directives with regard to the transfer of information outside of South Africa. Personal information may not be transferred outside of South Africa unless the third party to whom the information is being transferred is also subject to similar laws, binding corporate rules or agreements which will ensure the adequate protection of such personal information.
The Act provides for the rights of data subjects. All data subjects have the right to have his or her or its personal information processed in accordance with the conditions for the lawful processing of personal information and the Act elaborates quite succinctly on the various rights data subjects are entitled to in subsections 5(a) to (i). Everyone has, amongst other rights, the right to know if someone is collecting their personal information, or if their personal information has been accessed by an unauthorised person.
Compliance with the POPIA will be enforced by the Information Regulator and non-compliance will be penalised. Chapter 10 (Sections 73 to 99) of the Act clearly sets out the way in which compliance may be enforced.
It is important to take note of the following: Interference with the protection of the personal information of a data subject consists of (in relation to that data subject) (i) any breach of the conditions for the lawful processing of personal information and (ii) non-compliance with sections 22, 54, 69, 70, 71 or 72 of the Act, or a breach of the provisions of a code of conduct issued by the Information Regulator.
Any interference with the protection of personal information of a data subject or breach as contemplated in the above section may be reported to the Information Regulator, who may take action on such complaint by way of launching an investigation. The Act provides for the way in which the Information Regulator may deal with complaints and details procedures for investigations, referrals, notices, settlements, the issue of warrants (searches and seizures), appeal processes, civil remedies and so forth.
Chapter 11 of POPIA deals with offences, penalties and administrative fines. It is important to note that any person convicted of an offence in terms of POPIA for the contravention of sections 100, 103(1), 104(2), 105(1), (3) or (4) may be fined or imprisoned for a maximum of 10 years, or may be both fined and imprisoned for a maximum of 10 years. Any person convicted of an offence in terms of POPIA for the contravention of sections 59, 101, 102, 103(2) or 104(1) may be fined or imprisoned for a period of up to 12 months, or may be both fined and imprisoned for a period of up to 12 months.
In addition to the above penalties (possible criminal liability) the Information Regulator may also impose administrative fines.
The Information Regulator:
The Information Regulator has commenced its business and is in the initial stages of exercising its mandate in terms of the POPIA. Many businesses are very concerned about the penalties prescribed in terms of the Act, since non-compliance may result in criminal prosecution. With this in mind, one contemplates the expected effectiveness of the Information Regulator, how it will deal with complaints, and the nature of the complaints the Regulator will deal with on a general or regular basis.
In a press briefing by the Information Regulator dated 20 September 2017, the Regulator indicated that it had already received 107 complaints at that time. These complaints related to the unlawful processing of personal information and access to information. An analysis of these complaints by the Regulator revealed that the majority of the complaints related to the banking, insurance and telecommunications industries. The Regulator also indicated that most of the complaints related to direct marketing through unsolicited electronic communications.
One can expect this trend to persist; businesses should therefore take care to have regard to the contents of the Act and comply with POPIA as required.
Short comparison between the GDPR and the POPIA:
As said before, the GDPR and POPIA are very similar. Most of the definitions in the regulation and act are similar. There are some differences with regards to the terminology used and the description of the ‘officers’ who are the key responsible persons to ensure compliance and safekeeping of information.
One of the key differences between the GDPR and POPIA is that the GDPR does not protect legal entities. Also, the GDPR defines genetic data. It compels data controllers to do data protection impact assessments. In terms of the GDPR, only certain businesses are obliged to have a data protection officer. Similarly, some businesses (SMEs) are exempt from keeping records. The GDPR also deals with the “right to be forgotten” and data portability.
POPIA makes it obligatory for every business to have a data protection officer, who should be registered with the Information Regulator. POPIA also applies to the personal information of both private individuals and legal entities.
The fines for non-compliance in terms of the GDPR are much higher than in the POPIA. But in POPIA, non-compliance may constitute a criminal offence, which is not the case with the GDPR.
With POPIA, the focus should be, and inevitably is, on compliance. Compliance should be implemented in such a way that the process and system add value to the business. It should allow for improvements in efficiency and effectiveness within the business and should affect various aspects of the business structure and culture, operation, security and integrity.
Again, it is advisable to obtain expert advice in the process of implementation of a compliance framework. It is also advisable to ensure at the same time, that the business is fully compliant with not only POPIA, but also PAIA, the Consumer Protection Act, the National Credit Act and Access to Information, to name only a few. There is indeed an extensive list of legislation that will or may, depending on the circumstances, impact on the POPIA compliance process.
Whether your business has to comply with POPIA alone, or both POPIA and GDPR, it is suggested you obtain advice from an expert consultant specialising in compliance with regard to the protection of personal information legislation.
If you have any enquiries, please contact Lorraine Oosthuysen at email@example.com
- Protection of Personal Information Act No. 4 of 2013, Government Gazette Vol 581, 26 November 2013
- POPIA Papers: Data Protection in the EU – CCASA publication on the GDPR, April 2018
- www.justice.gov.za/inforeg/ (Information Regulator (South Africa))
- http://hrtorque.co.za/downloads/popi-may15.pdf
- https://ec.europa.eu/info/law/law-topic/data-protection_en
- Denton’s Guide on the GDPR (PDF): https://www.google.co.za/search?q=dent